SSH Packet

Encryption in transit

The diagram at the left hand side shows all the components of a SSH packet. The diagram at the right hand side shows only Packet Length and Message Authentication Code are unencrypted when the SSH packet is transmitted over the Computer Network.

Packet ComponentPurpose
Packet LengthIndicates the total length of the packet in Byte (excluding the length field itself).
Padding amountDetermines the size of padding.
PayloadThe actual data being transmitted. Usually compressed with a tool like zlib - Wikipedia.
PaddingRandomly generated bytes used to obscure the true length of the payload, making it harder to analyze the traffic.
Message Authentication CodeA Hash Digest calculated using the packet contents and a shared secret key. This ensures the packet hasn’t been tampered with and originates from the correct sender.

A Digital Signature if Public-key Cryptography Authentication is used.

SSH Channel

  • A single SSH connection can be multiplexed into multiple SSH channels simultaneously, each transferring various types of data bidirectionally


Session Channel

  • Channel used for running commands on remote Host

Port Forwarding Channel

X11 Channel

  • Forwarding X11 (graphical user interface) traffic, allowing remote X11 applications to be displayed on the local machine

SSH Public-key Cryptography Authentication

Why not just use the good old username and password?

First, password is vulnerable to brute-force attacks, you know users tend to set weak passwords :)

Second, we may have multiple users accessing the same remote server account. Using password means all users share the same password, on the other hand, with public-key, each user has his own private key to access the remote server. When we want to remove a user’s access, we just need to remove his public key from the remote server.

Setup Public-key Cryptography Authentication

  1. Generate Public Key and Private Key using EdDSA, ED25519 (Much shorter key than RSA with the same level of encryption)
ssh-keygen -t ed25519 -C "YOUR_COMMENT" # ed25519 keys are a lot shorter than rsa keys without sacrificing security
  1. Copy the public key(the key ends with .pub) to the remote Host (Should be stored inside ~/.ssh/authorized_keys by default)
ssh-copy-id -i /path/to/your/public_key username@remote_hostname
  1. Disable password authentication & enable public key authentication. Modify /etc/ssh/sshd_config, uncomment and set the following attributes
PasswordAuthentication no
PubkeyAuthentication yes
  1. Restart the SSH server on the remote host
# Linux
sudo systemctl restart sshd
# MacOS
sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd
  1. SSH into remote host with private key!
ssh -i /path/to/your/private_key username@remote_hostname